EXPLORE DETECTIONS
Disable Strong Authentication (Microsoft Entra ID)
Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls and should be reviewed. Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls and should be reviewed.
Dll-Side Loading Detection Query
The query traces processes that write both DLL and EXE files to the same location while exhibiting masquerading behavior. Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/DLL-Side-Loading-Detection.md)
Dll-Side Loading Detection Query
The query traces processes that write both DLL and EXE files to the same location while exhibiting masquerading behavior. Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/DLL-Side-Loading-Detection.md)
DNS Resolutions from Browser Processes
This query correlates web browser process executions with their DNS queries to identify which domains were resolved by browser processes on specific endpoints
DNS Resolutions from Browser Processes
This query correlates web browser process executions with their DNS queries to identify which domains were resolved by browser processes on specific endpoints
DNS Staging Detection: ClickFix-Inspired nslookup Execution
Detects nslookup activity used for DNS-based staging, specifically targeting the pattern of querying external nameservers to retrieve and execute malicious payloads, as seen in recent ClickFix attacks. This hunt is highly valuable as it identifies a shift away from heavily-monitored tools like mshta and PowerShell toward abusing trusted network utilities to bypass standard firewalls and blend with legitimate DNS traffic. Targeting trusted binaries: Monitors nslookup.exe, which attackers now prefer because it is less likely to be blocked by security software than mshta or PowerShell. External DNS Queries: Specifically looks for nslookup commands that provide a direct IP address for an external nameserver, bypassing the system's default, monitored DNS resolver. Staging Pattern: Detects the use of findstr on the nslookup output, a known ClickFix technique to parse the "Name:" field from a DNS response and treat it as a secondary command for execution. Execution Chain: Monitors for the piping of this output directly into execution engines like PowerShell or IEX. Evasion Detection: DNS traffic is frequently allowed through corporate firewalls, making this a "lightweight staging channel" that effectively hides data exfiltration and payload delivery in plain sight. To test your query, run nslookup -q=txt google.com 1.1.1.1 in a command prompt. This triggers your detection by requesting a TXT record while bypassing local DNS to use an external IP. Wait a few minutes for the telemetry to ingest, then run your search to confirm the activity appears in your results.
DNS Staging Detection: ClickFix-Inspired nslookup Execution
Detects nslookup activity used for DNS-based staging, specifically targeting the pattern of querying external nameservers to retrieve and execute malicious payloads, as seen in recent ClickFix attacks. This hunt is highly valuable as it identifies a shift away from heavily-monitored tools like mshta and PowerShell toward abusing trusted network utilities to bypass standard firewalls and blend with legitimate DNS traffic. Targeting trusted binaries: Monitors nslookup.exe, which attackers now prefer because it is less likely to be blocked by security software than mshta or PowerShell. DNS Record Retrieval: Looks for nslookup commands that request TXT or ALL record types, which are commonly abused to stage content over DNS. Staging Pattern: Detects the use of findstr on the nslookup output, a known ClickFix-inspired technique to parse returned DNS content and prepare it for follow-on execution. Execution Chain: Monitors for nslookup output being piped through findstr and for /f and then into cmd, which is a strong indicator of DNS response data being transformed into executable input. Evasion Detection: DNS traffic is frequently allowed through corporate firewalls, making this a "lightweight staging channel" that effectively hides data exfiltration and payload delivery in plain sight. To test your query, run a command that matches the full pipeline pattern, for example: nslookup -q=txt google.com | findstr /i "Name" | for /f "tokens=*" %i in ('more') do cmd /c %i. Wait a few minutes for the telemetry to ingest, then run your search to confirm the activity appears in your results.
Domain Admin Enumeration
This query will detect Domain Admin Enumeration based on the Microsoft Defender for Identity Module This query will detect Domain Admin enumeration based on the Microsoft defender for Identity log sources.
Domain Controllers with high load
Domain controllers with either average CPU usage, average RAM usage that exceeds 80% or Available Disk space < 10GB. This indicates low capacity or unexpected excessive usage.
Domain Controllers with high load
Domain controllers with either average CPU usage, average RAM usage that exceeds 80% or Available Disk space < 10GB. This indicates low capacity or unexpected excessive usage.
Enriched Process Tree Association Events
The query filters for AssociateTreeIdWithRoot events, joins them with detection-pattern metadata from a CSV file, and outputs key fields like timestamp, host, pattern details and severity for analysis. In short, it enriches process-tree association events with contextual detection information. ## [AssociateTreeIdWithRoot](https://docs.crowdstrike.com/r/associatetreeidwithroot) This event is generated when there is a detection in the sensor. This event has a data field called PatternId that contains a pattern ID. Pattern IDs correspond to a detection. Reference[GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/AssociateTreeIdWithRoot%20to%20Pattern%20Details.md)
Enriched Process Tree Association Events
The query filters for AssociateTreeIdWithRoot events, joins them with detection-pattern metadata from a CSV file, and outputs key fields like timestamp, host, pattern details and severity for analysis. In short, it enriches process-tree association events with contextual detection information. ## [AssociateTreeIdWithRoot](https://docs.crowdstrike.com/r/associatetreeidwithroot) This event is generated when there is a detection in the sensor. This event has a data field called PatternId that contains a pattern ID. Pattern IDs correspond to a detection. Reference[GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/AssociateTreeIdWithRoot%20to%20Pattern%20Details.md)
Enumerate Windows Driver Loads
The query combines DriverLoad and Event_ModuleSummaryInfoEvent data to associate loaded driver hashes with their certificate details, simplifying file paths and aggregating filenames, subjects, and issuers for analysis of driver authenticity. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Enumerate%20Windows%20Driver%20Loads.md)
Enumerate Windows Driver Loads
The query combines DriverLoad and Event_ModuleSummaryInfoEvent data to associate loaded driver hashes with their certificate details, simplifying file paths and aggregating filenames, subjects, and issuers for analysis of driver authenticity. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Enumerate%20Windows%20Driver%20Loads.md)
Evaluate Operating System Prevalence
This query counts how many Windows endpoints are running each OS version (like Windows 10, Windows 11, etc.) in your CrowdStrike environment. It groups endpoints by their current OS product name and returns the count for each version.
Evaluate Operating System Prevalence
This query counts how many Windows endpoints are running each OS version (like Windows 10, Windows 11, etc.) in your CrowdStrike environment. It groups endpoints by their current OS product name and returns the count for each version.
Exploitable Critical Vulnerabilities
Shows Critical CVEs that are considered exploitable (based on ExploitStatusEnum > 30). Results are aggregated by CVE and exploitability state, including the number of affected hosts.
Exploitable Critical Vulnerabilities
Shows Critical CVEs that are considered exploitable (based on ExploitStatusEnum > 30). Results are aggregated by CVE and exploitability state, including the number of affected hosts.
External Connectons with Process
External Connectons with Process
Failed and Successful User Logon Events
This query correlates successful and failed logon attempts per user account to identify potential compromise patterns, focusing on accounts with 4+ failed logons. It provides a comprehensive view of each user's authentication activity including password age and last successful access.
Failed and Successful User Logon Events
This query correlates successful and failed logon attempts per user account to identify potential compromise patterns, focusing on accounts with 4+ failed logons. It provides a comprehensive view of each user's authentication activity including password age and last successful access.